A modern web site will often want the advantages of Varnish Cache’s programming model together with a web application firewall (WAF).
We’ve been looking at this space for a while and will show you what we have found. Let us know if you’ve seen anything else.
WAF inside Varnish Cache
We’ve seen a few projects work on getting a WAF to examine requests directly in Varnish Cache. An example of this is the Varnish Security Firewall. After over a year in the wilderness, a few recent commits have appeared on the project to make it compatible with Varnish Cache 4.0.
There’s also the Varnish Firewall, which was last updated in 2012.
Both of these in-Varnish WAF options contain XSS and SQL injection protection mechanisms. We were unable to find any testing results for either of them (detection and false-positive rates against a known set of attacks), so you would need to evaluate them yourself before relying on them.
ModSecurity with Varnish Cache
We searched, without success, for a Varnish Cache VMOD that runs the ModSecurity core library natively inside Varnish Cache.
ModSecurity runs effectively in Apache and Nginx, and using these as a WAF proxy behind Varnish Cache works well.
User traffic comes to your site, and an SSL termination proxy hands it to Varnish Cache (Varnish Cache does not terminate SSL itself). Varnish Cache is then configured to fetch from your ModSecurity WAF proxy layer, and the ModSecurity proxy layer is configured to fetch content from your application.
Considering the heavy performance impact of a decent ModSecurity ruleset, caching is recommended by the ModSecurity developers. Have a look at the ModSecurity Performance Recommendations, where the first recommendation is to put Varnish Cache or another effective HTTP cache in front. The flip side is that a request served from cache never reaches the WAF, so ModSecurity only inspects what Varnish Cache forwards to it; that is fine when the cached content is the same for everyone, but keep it in mind when reading the WAF logs.
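As an added example (ours, not code from the original post or from the Varnish or ModSecurity projects), here is the Varnish Cache 4.0 side of that chain: a backend pointing at the ModSecurity proxy rather than at the application, and handling of the WAF’s denials so that they are never cached. The proxy address and port and the health-probe URL are assumptions for this example.

```vcl
vcl 4.0;

# The ModSecurity layer (Apache or Nginx with ModSecurity loaded), not the
# application itself. Host, port and probe URL are assumptions for this example.
backend waf {
    .host = "127.0.0.1";
    .port = "8080";
    .probe = {
        .url = "/";          # assumption: the WAF proxy answers / with 200 when healthy
        .interval = 5s;
        .timeout = 1s;
        .window = 5;
        .threshold = 3;
    }
}

sub vcl_recv {
    set req.backend_hint = waf;
    # Varnish 4 appends client.ip to X-Forwarded-For before vcl_recv runs, but
    # client.ip here is the SSL terminator, so that proxy must add the visitor's
    # address to X-Forwarded-For too. On the WAF side, restore the client address
    # from X-Forwarded-For (mod_remoteip on Apache 2.4, ngx_http_realip_module on
    # Nginx), trusting only the addresses of Varnish and the SSL terminator, and
    # check in the ModSecurity audit log that REMOTE_ADDR is the visitor and not
    # this Varnish host; otherwise every IP-based rule or block lands on Varnish.
}

sub vcl_backend_response {
    # A 403 (ModSecurity's default deny status; adjust if your rules use another)
    # is a verdict on one request, not on the URL. Varnish does not cache a 403,
    # but the builtin VCL turns any uncacheable response into a 120s hit-for-pass
    # object, so an attacker who triggers a 403 for a URL that is not currently
    # cached (for instance with a hostile header) would push every request for
    # that URL past the cache for two minutes. Make the denial uncacheable with
    # no hit-for-pass lifetime instead.
    if (beresp.status == 403) {
        set beresp.uncacheable = true;
        set beresp.ttl = 0s;
        return (deliver);
    }
}
```

The ModSecurity proxy itself is configured as a reverse proxy for the application exactly as it would be without Varnish Cache in front; the only addition is the real-IP handling noted in the comments.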
Varnish Cache with other WAF Proxies
Using the technique above you can also substitute a different WAF for ModSecurity. An actively developed option that takes a different angle is NAXSI, a WAF that runs inside Nginx and, rather than relying on large signature sets, scores requests against a small set of generic rules and uses whitelists tuned to the application.
At that stage you might ask yourself “Why would I use Varnish Cache when I have Nginx? Nginx is fast and has caching capabilities too”.
We really like Varnish Cache’s VCL. It lets us solve problems with HTTP requests and responses creatively, without modifying the application, which keeps caching concerns somewhat separate from the application. In Nginx, ngx_http_proxy_module provides caching that follows the cache rules (Cache-Control and Expires headers) sent in the origin responses, so you need to make sure your application’s web server is sending the right headers. In Varnish Cache the same decision can often be made in a few lines of VCL, whatever the origin sends.
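An added example of what that looks like (our illustration, not code from the original post): Varnish Cache 4.0 VCL that sets caching policy for an origin whose responses carry no useful cache headers. The URL patterns and TTLs are assumptions for this example.

```vcl
vcl 4.0;

sub vcl_backend_response {
    # Static assets: the origin in this example sends no Cache-Control, so the
    # TTL is decided here instead of in the application.
    if (bereq.url ~ "\.(css|js|png|jpg|gif|svg|woff)(\?.*)?$") {
        # A stray Set-Cookie would make the builtin VCL treat the asset as
        # uncacheable; drop it rather than ever cache a response that carries
        # someone's session cookie.
        unset beresp.http.Set-Cookie;
        set beresp.ttl = 1d;
        # What browsers (and any Nginx proxy_cache in front of Varnish) see.
        set beresp.http.Cache-Control = "public, max-age=3600";
    }

    # Per-user pages: never cache, whatever the origin's headers say.
    if (bereq.url ~ "^/account/") {
        set beresp.uncacheable = true;
        set beresp.ttl = 120s;
        return (deliver);
    }
}
```

Note that beresp.ttl is computed from the origin headers before vcl_backend_response runs, so setting it here is the override; changing beresp.http.Cache-Control afterwards only affects what is delivered downstream, not how long Varnish Cache keeps the object.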
When deploying these systems, don’t forget your metrics and log management. It’s great to surface metrics and logs in a usable way so that you don’t need to log onto your servers to see what’s happening; this includes the WAF’s own audit log, which is where blocked requests and false positives show up. You’ll probably also need some kind of alerting system that tells you when something is going wrong. Have a look at our other blog articles for some ideas on metrics systems.